GrokSheet: Hacking

The Gist

Note: This groksheet is a work in progress. Hacking in SR4 is fairly complex and at the same time a bit vague in places. Most of this is based on the main rulebook. This may change as I dig deeper into Unwired and the errata.

Breaking and Entering
  • Hacking on the fly
    • Hacking + Exploits (Firewall, 1 initiative pass) to break in
    • Target gets free extended Firewall + Analyze (Stealth, 1 initiative pass) test to detect the hacker
  • Probing for exploits
    • Hacking + Exploits (System+Firewall, 1 hour in VR or 1 day in AR) to find an exploit
    • Complex Action to use exploit to log in
    • Target gets one attempt at Firewall + Analyze (Stealth) to detect the hack
    • Back doors may remain open for some time, reusable
  • Security access adds +3 to threshholds for hacking. Admin access adds +6
  • Detection by the firewall results in an alert
Doing the Deed
  • Computer + Logic or appropriate program for actions permitted under the current access level
  • Hacking + Logic or appropriate program for unauthorized access and other illegal operations
  • Glitching results in a low-level alert
  • Primary threat from security riggers and roaming IC

It seems the only way to hack undetected is via stealth, using Hacking+Stealth to avoid the patroling security hackers and IC’s Matrix perception tests (if any), since attacking either will generally sound some sort of alarm. Possible to Spoof Command to convince IC that one is a legitimate user, or create an exemption list to remove oneself from a particular piece of IC’s scan list. Then only live security hackers are a threat. Possibly too much power for the hacker.

Hardware Modes

Active: Default mode for a standard PAN. Allows open access to the user’s public interface and user is assumed to be signed in and registered with the local LAN. Somewhat similar to logging into an IRC server, registering your nick, and logging into the main channels.

Passive: Advertised to the LAN but not actively logged in and ignoring outside connections. Roughly equivalent to logging into the IRC server but not joining any channels. User is available for private messaging, usually filtered, but does not see broadcasts.

Hidden: Stealth mode. Device does not broadcast or handshake with the LAN, insteady monitors signals. The rules seem to imply a certain level of directional signaling possible with even standard comlinks, so that communication with outside sources is possible without announcing oneself to the entire network. This seems a bit unrealistic even by SR standards, considering the size of most commlinks and the degree of precision that would be required. Eh.

Hardware Stats

Response (Hardware): Processing power and speed. Matrix Initiative is Response+Intuition. Every (System) programs running reduces Response by 1.

Signal (Hardware): The Flux Rating of the device. Signal 0 = 3m, Signal 4 = 1km. Devices can only communicate if within range of the weaker signal.

Firewall (Software): The built in security of the OS. Used to defend against Matrix attacks.

System (Software): OS multitasking and control ability. Max software rating runable on a system = System. Max programs running without reducing system speed = System-1. Max subscribers = System x 2. Matrix condition monitor = System/2 + 8.

Device Rating: Used for non-Commlink systems, usually. Single score used for all hardware stats.

Pilot: AI algorithms. Used for Computer, Cybercombat, Data Search and Hacking skills when a device is operating independently. Also used for mental attributes.



Examine icons, files, other users, etc in the Matrix or AR using Computer + Analyze with standard Perception test thresh. If hiding, the roll is opposed by Hacking/Firewall + Stealth (depending on whether it is a user or a program/node trying to hide).


3 levels of user access are defined:

Personal: Standard end user access levels. Can access files assigned to the user or made publicly available to the User group. Usually have read-only access to important files they are not directly responsible for. Usage may be heavily monitored.

Security: Broader access, usually across user groups (either all or a subset), possibly with the ability to access Personal level files of other users.

Admin: Root access to the system. Authorization to do anything with any files, including actions which threaten the integrity of the system or important data.

Standard electronic devices only have Admin accounts, as there is no need for personal or security access for their lone user.

Breaking In

If a hacker doesn’t have a valid login for either a Personal, Security or Admin account, he’ll need to hack in. There are two ways of doingthis:

Hacking on the fly: Hacker spends a Complex Action and makes an extended Hacking + Exploit roll with a thresh equal to the target firewall, reroll allowed every initiative pass. The system being hacked makes an extended Analyze + Firewall test with a thresh of the hacker’s Stealth program rating. If the node makes it’s thresh before the hacker gets access, it triggers an alert and may shut down outside access, alert a user, launch IC, etc.

Probing the target: Hacking from home, Wargames style. The hacker makes an extended Hacking + Exploit test with a thresh of the target System + Firewall. The reroll interval is 1 hour if done in VR, or 1 day if done in AR. Once the thresh is passed, the hacker takes a Complex Action to log into the system using the exploit he discovered. When he does so, the target system gets a single Analyze + Firewall test with a thresh of the hacker’s Stealth program rating. If it makes it, the target is detected. Glitches during the probe test will alert the target system of the probe, allowing it to take whatever security steps are deemed appropriate. Back doors discovered in this way may remain open for some time, unless the hacker triggers an alert which results in a search for such vulnerabilities and the patching of the system.

Access Levels: The above hacking attempts get you Personal level access on the target system, with no assigned personal files, just access to group files. Any attempts to do anything beyond accessing those files will require seperate hacking rolls. Hacking a Security access account ups the thresh of the attempt by +3. Hacking Admin access ups it by +6. Remember, most simple electronic devices have only Admin access on them.


Sweet Tooth has been cornered by a street sam. He can’t take him in combat, so he desperately tries to hack the guy’s cyber long enough to escape. He’s got Hacking 6 and is running a shit-hot deck with a system of 5 and has his Exploit and Stealth both running at max (5). The sam’s no fool, and is running Iris Orb on his link, for a Firewall and System of 3, and is running Analyze at 3 in the background. ST just wants to get in, and luckily the sam’s comlink is set up for Personal level access, so he only needs 3 hits to match the sam’s firewall. The sam’s link gets to roll 6 dice to detect ST’s intrusion, but only gets 3 hits.. good, but he’s still unaware of the hack, and ST is in, so he doesn’t get another try. Now if ST can just hack the sam’s smartlink from here.. If the sam had been really smart and had admin-only access on his link, ST would have had to accumulate a total of 9 hits. Rolling _extremely well next pass, he gets 5 hits, just 1 shy from breaking in. The sam’s link gets to roll again, scoring only 1 hit, for a total of 4, 1 away from spotting STs hack. Unfortunately, he also rolled three 1s on six dice, a glitch! The GM decides that ST’s jiggering has gotten the sam’s firewall overexcited, and in it’s bulldog furor, it deletes a hefty chunk of the sam’s own ID info, effectively ‘losing his keys’. ST easily makes the extra success he needs next pass, getting him superuser access on the sam’s own link. And admin gives him total control of the link and all devices attached to it, like the sam’s gun, his cybereyes, even his wired reflexes._

Eliza doesn’t trust the Johnson her fixer hooked her team up with for this run. Enough that she wants to get some dirt on him and check out his files to make sure he’s legit. She Traced him during the meet, so she knows his access ID and can track his link down wherever she needs to. He’s a corp Johnson, though, so he’s got a fairly hefty Firewall and System, 4 each, and is running max level Analyze. He’s also smart enough to have only Admin access on his link, so Eliza’s going to need 14 hits to get to him. Eliza decides to use a public terminal for the job, reducing her usual program levels to 3. She starts up her probe, rolling her 6 Hacking and 3 Exploit every hour. A couple of bad rolls and 6 hours later, she has the 10 hits she needs, and has discovered an unpatched vulnerability on the Johnson’s link. She makes her Complex Action and takes over root access on the machine. The link gets one chance to notice her, rolling 8 dice vs. her Stealth of 3. Bad luck for Eliza.. it gets 5 hits, more than enough to see through her measly Stealth algorithms and sound an alert. She’d better act quick!

Doing The Deed

When logged into an account, the hacker can perform a number of legitimate actions on the system using Computer + Logic or an appropriate Computer + Program if available. Typical actions include editing data, repairing damaged icons, launching traces on other connections to the node, transferring data, controlling connected devices, or rebooting the node.

If the hacker’s account doesn’t have priviledges to perform those actions, he’ll need to use Hacking instead of Computer skill.

Some activities are never authorized on a node, and require hacking to accomplish no matter what. This includes crashing programs or the node’s OS (though crashing the OS simply causes a system reset in most cases), disarming Data Bomb IC, eavesdropping on traffic, redirecting traces, spoofing commands or spoofing a datatrail.

As written, there does not appear to be any significant difference between Computer and Hacking skill, except the increased chance of glitching, which usually triggers a system alert. The chance of glitching is fairly small for a skilled hacker with decent programs. This leaves detection during the initial hacking attempt and afterwards by security riggers or roaming IC as the primary danger in hacking.


Gamma Ray Running direbunny